NIS2 Supply-Chain Security per § 30(2) No. 4 BSIG
Implement NIS2 supplier security obligations in practice: contract clauses, risk assessment, audit rights. With CC-BY-4.0 contract clause template to download.
§ 30(2) No. 4 BSIG requires you to actively manage the security of your supply chain. In practice this means: assessing the cybersecurity risks of your direct suppliers and service providers, embedding security requirements in contracts, and securing audit rights. Ignoring this obligation risks a fine of up to EUR 10 million under § 65 BSIG. This guide explains the specific requirements, introduces a battle-tested A/B/C tiering model, and provides a CC-BY-4.0 licensed contract clause template as a PDF download.
What does § 30(2) No. 4 BSIG actually require?
§ 30(2) No. 4 BSIG requires affected entities to address "security in the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers" as part of their risk management. The BSIG transposes Art. 21(2)(d) of the NIS2 Directive into German law.
In practice, this means:
- Identifying all suppliers and service providers that have access to your systems or data
- Risk-assessing each critical supplier using a documented procedure
- Embedding security requirements in contracts (minimum standards, incident reporting, audit rights)
- Continuously monitoring the security posture of suppliers
- Documenting all measures as evidence for BSI supervisory requests
Important: the law refers to "direct suppliers" (Tier 1). Indirect suppliers (Tier 2+) are not directly addressed but should be included in your risk management whenever they represent critical dependencies.
Which suppliers are considered critical?
Not every office-supply vendor needs the same scrutiny as a cloud provider running your production systems. A risk-based approach uses three criteria:
Criterion 1: Access depth
- No access: supplier delivers purely physical services with no IT touch-point
- Indirect access: supplier processes non-critical data
- Direct access: supplier has access to your networks, systems, or critical data
- Privileged access: supplier has admin, root, or key-management access
Criterion 2: Availability criticality
Ask yourself what happens if the supplier fails or is compromised. Can your service keep running within 24 hours without this supplier? The longer the dependency window, the more critical the supplier.
Criterion 3: Sensitivity of data processed
Suppliers processing personal data, trade secrets, or security-sensitive information are automatically high-criticality, regardless of the access model.
Supplier Lifecycle: From Onboarding to Exit
NIS2 supply-chain security is not a one-off contract exercise. It is a continuous process across the entire supplier lifecycle.
Phase 1: Onboarding (pre-contract)
- Security questionnaire or self-assessment by the supplier
- Review of existing certifications (ISO 27001, SOC 2, BSI C5)
- Risk classification using A/B/C tiering (see below)
- CISO or security officer sign-off for Tier-A suppliers
Phase 2: Contract
- Inclusion of all 7 core clauses (security level, incident reporting, audit rights, subcontractors, data location, BC/RPO, penalties)
- SLAs for security updates and patch timescales
- Consent requirement before subcontracting
Phase 3: Ongoing monitoring
- Annual security questionnaire or re-assessment
- Certificate renewal check on expiry
- Incident escalation when the supplier reports a breach
- Continuous monitoring for Tier-A suppliers (e.g. via SecurityScorecard)
Phase 4: Exit and offboarding
- Revoke all access (VPN accounts, API keys, certificates) immediately on contract end
- Written confirmation of data deletion or return
- Closing security report filed in your documentation record
The 7 Core Clauses for NIS2-Compliant Supplier Contracts
These seven clauses form the minimum you should embed in contracts with critical suppliers. All seven appear in the CC-BY-4.0 contract clause template (PDF).
Clause 1: Security level
The supplier commits to maintaining an information security level consistent with the state of the art. For Tier-A suppliers, include a specific reference to ISO 27001 or BSI IT-Grundschutz. The clause should give you the right to be notified if the security level changes.
Clause 2: Incident reporting
Security incidents at the supplier that could affect your systems or data must be reported to you within 24 hours of the supplier becoming aware. This is critical for you to meet your own NIS2 reporting obligation under § 32 BSIG. The clause should define the reporting channel, the responsible person, and the minimum content required.
Clause 3: Audit rights
You, or a third party appointed by you, have the right to assess the supplier's security posture at least once a year. The assessment may take the form of a questionnaire, document review, or on-site audit. For Tier-A suppliers, include the right to unannounced audits where there is reasonable suspicion.
Clause 4: Subcontractors
Subcontracting any part of the services requires your prior written consent. The supplier must ensure subcontractors are bound by the same security requirements and must provide you with an up-to-date subcontractor list on request.
Clause 5: Data localisation
Data may only be processed and stored in pre-agreed jurisdictions. For particularly sensitive data the EU/EEA should be the minimum requirement. Any change to data location requires your approval.
Clause 6: Business continuity and RPO
The supplier must maintain documented business continuity plans and guarantee a Recovery Point Objective (RPO) of no more than [RPO] hours for critical data. In the event of a failure, a Recovery Time Objective (RTO) of no more than [RTO] hours must be met.
Clause 7: Contractual penalties
A breach of material security obligations (in particular the incident reporting obligation and refusal of audit) triggers a penalty of [AMOUNT] EUR. The penalty is credited against any further damages claims. The right to extraordinary termination in the event of serious breaches remains unaffected.
A/B/C Tiering: Risk-Based Supplier Classification
A three-tier model lets you allocate resources where they matter most and calibrate the depth of measures to actual criticality.
| Tier | Criteria | Scrutiny level | Review frequency |
|---|---|---|---|
| A (Critical) | Privileged access, processes critical data, failure blocks your NIS2 service | Full audit, all 7 clauses, ISO 27001 or BSI C5 required | Annual + after incidents |
| B (Important) | Direct system access, non-critical data, failure affects quality but not availability | Questionnaire + clauses 1-4, certification evidence accepted | Every 2 years |
| C (Standard) | No or only physical access, no security-relevant data | Standard T&C clause sufficient, self-declaration | On contract changes |
Document your tiering decisions with reasons. The BSI can request to review the criteria behind your risk classification as part of its supervisory activity.
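The three criteria and the tier table above can be turned into a small register check that classifies each supplier and flags missing clauses or overdue re-assessments. This is an added example, not code from the page or from Kopexa; the Supplier fields, the constructed register entries, the "fails within 24 hours means Tier A" reading of Criterion 2, and the decision to place indirect access in Tier B are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Access depth (Criterion 1), ordered from least to most exposure.
ACCESS_DEPTH = {"none": 0, "indirect": 1, "direct": 2, "privileged": 3}
# Clauses each tier must carry (tier table) and how often it is re-reviewed.
REQUIRED_CLAUSES = {"A": set(range(1, 8)), "B": {1, 2, 3, 4}, "C": set()}
REVIEW_INTERVAL = {"A": timedelta(days=365), "B": timedelta(days=2 * 365)}
AS_OF = date(2026, 1, 1)  # constructed "today" for the sample run

@dataclass
class Supplier:                 # assumed record layout, not from the page
    name: str
    access: str                 # one of ACCESS_DEPTH
    hours_without: int          # how long your service keeps running if it fails (Criterion 2)
    sensitive_data: bool        # personal data, trade secrets, security-sensitive info (Criterion 3)
    clauses: set                # clause numbers 1-7 present in the signed contract
    last_review: date

def classify(s: Supplier) -> str:
    """Map the three criteria to tier A, B or C."""
    if s.sensitive_data:                    # Criterion 3: high criticality regardless of access
        return "A"
    if ACCESS_DEPTH[s.access] >= 3 or s.hours_without < 24:   # privileged, or failure blocks service
        return "A"
    if ACCESS_DEPTH[s.access] >= 1:         # assumption: direct and indirect access both land in B
        return "B"
    return "C"

def findings(s: Supplier, today: date = AS_OF) -> list:
    """Gaps that need action: missing contract clauses and overdue re-assessment."""
    t = classify(s)
    out = []
    missing = sorted(REQUIRED_CLAUSES[t] - s.clauses)
    if missing:
        out.append(f"{s.name}: tier {t} contract lacks clause(s) {missing}")
    # Tier C is only re-reviewed on contract changes, so it gets no date-based check.
    if t in REVIEW_INTERVAL and today - s.last_review > REVIEW_INTERVAL[t]:
        out.append(f"{s.name}: tier {t} review overdue (last {s.last_review})")
    return out

# Constructed sample register; these are not real suppliers.
REGISTER = [
    Supplier("cloud-hoster", "privileged", 0, True, {1, 2, 3, 4, 5, 6}, date(2024, 1, 15)),
    Supplier("saas-ticketing", "direct", 72, False, {1, 2, 3, 4}, date(2025, 6, 1)),
    Supplier("office-cleaning", "none", 999, False, set(), date(2022, 3, 1)),
]

def report(today: date = AS_OF) -> list:
    return [line for s in REGISTER for line in findings(s, today)]

if __name__ == "__main__":
    print("\n".join(report()))
```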
Common Mistakes and How to Avoid Them
- No complete supplier inventory: Build a central supplier register covering every third party with system access or data access. Cloud services, SaaS tools, and external developers are frequently overlooked.
- Missing contract clauses in legacy agreements: Review existing contracts and request amendments from critical suppliers. If they refuse, you must be able to justify continuing the contract from a risk perspective.
- Audit right exists only on paper: Schedule concrete audits and conduct them. An audit right that is never exercised carries no evidential value with the BSI.
- Incident reporting deadline set too long: Agree on 24 hours, not 72 hours. You need a buffer to assess internally and, if necessary, report to the BSI yourself.
- No visibility into subcontractor chains: Actively ask for your critical suppliers' subcontractor chains. Unexpected subcontractors in high-risk countries can increase your own NIS2 exposure.
CC-BY-4.0 Contract Clause Template as PDF
The contract clause template contains all 7 core clauses with fully drafted model text and placeholders for [NAME], [DATE], [RTO], [RPO], and [AMOUNT]. It is published under the Creative Commons CC-BY-4.0 licence: free to use, share, and adapt, with attribution to "Kopexa GmbH, kopexa.com".
NIS2 Supply-Chain Contract Clauses (CC-BY-4.0)
5-page PDF with 7 core clauses, placeholders, and legal disclaimer. Version 1.0, dated 2026.
Note: This template does not constitute legal advice and does not replace review by qualified counsel.
Related Resources
Supply-chain security does not stand alone. These pages help with the bigger picture:
- NIS2 Requirements under Art. 21: All obligations at a glance, from risk management to incident reporting
- NIS2 Reporting Obligation under § 32 BSIG: Three-stage reporting chain with CC-BY-4.0 template
- ISO 27001 Control A.5.19 Mapping: Map NIS2 requirements to ISO 27001 Annex A controls
- NIS2 Fines under § 65 BSIG: What is at stake when § 30(2) No. 4 is violated
- ISO 27001 A.5.19: Information Security in Supplier Relationships: Control details for supply-chain security